How to Identify and Remove the Japanese keyword hack

What is a Japanese keyword hack

This is a spam-related hack in which hackers inject Japanese words into your WordPress site title and description and manipulate your Google Search Console site property and any submitted sitemaps. The search engine usually ends up choosing the one in the featured picture above. Hackers take advantage of this type of malware by inserting links to other sites into your pages. These links carry their affiliate ID, tricking your visitors and redirecting them to sites selling fake brand merchandise at half of the original price. Every time someone buys a product from those sites, the hacker receives a commission for the sale.

How to find if your site is infected by the Japanese keyword hack

Step 1: Check Google Search Engine Results

Since this hack is only visible to search engines, identifying infected pages in your WordPress website is not an easy task. One way to spot the hack is to run a Google search for your domain, for example “yourdomain.com” or “site:yourdomain.com”, and see if the results display any Japanese words in your site title and description.

Step 3: Check your Google Search Console for malware penalties

Most of our clients who ask us to clean their hacked WordPress site found out about the Japanese hack after receiving a warning in their Google Search Console account, similar to the one found below:

“Google has detected that your site has been hacked by a third party who created malicious, unexpected or harmful content on some of your pages. This issue affects your site’s reputation by showing the hacked content on your site or in search results. We recommend you remove the hacked content from your site as soon as possible. Once removed, our system will automatically reflect these changes as we update our index. Following are some example URLs. Review them to gain a better sense of where this hacked content appears, and how it may have been placed on your website. The list is not exhaustive.”

Step 2: Check for URL cloaking

In Step 1, we asked you to check Google’s search engine results for your domain. If you followed any of those spammy links from your site and were redirected to your site’s default 404 page, then you need to make sure the link isn’t cloaked. URL cloaking shows one version of your page to search engines and a different one to real human visitors. This way, you will see that your site contains the Japanese hack in Google’s search engine results, but if you try to visit that page you will be redirected to a not-found page. Once more, you can use Google Search Console and its “Fetch as Google” tool, which lets you see if the requested URL is cloaked or not.
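The comparison behind a cloaking check can also be scripted. The following is an added example, not code from the original article: it takes the HTML a crawler was served and the HTML a visitor sees, and reports the title and description fields where only the crawler's copy contains Japanese script. The function names and both sample documents are constructed for illustration; how you obtain the two copies (for instance, the source shown by the Search Console fetch tool versus your browser's view-source) is up to you.

```python
import re
from html.parser import HTMLParser

# Hiragana, Katakana and CJK ideographs: the scripts the injected spam uses.
JAPANESE = re.compile(r"[\u3040-\u30ff\u4e00-\u9fff]")

class HeadFields(HTMLParser):
    """Collect the <title> text and the meta description of one document."""
    def __init__(self):
        super().__init__()
        self.title, self.description, self._in_title = "", "", False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "meta" and (attrs.get("name") or "").lower() == "description":
            self.description = attrs.get("content") or ""

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data

def head_fields(html):
    parser = HeadFields()
    parser.feed(html)
    return {"title": parser.title.strip(), "description": parser.description.strip()}

def cloaking_report(crawler_html, visitor_html):
    """Return the fields where only the crawler's copy contains Japanese script."""
    crawler, visitor = head_fields(crawler_html), head_fields(visitor_html)
    return {
        field: crawler[field]
        for field in crawler
        if JAPANESE.search(crawler[field]) and not JAPANESE.search(visitor[field])
    }

# Constructed sample: what the crawler was served vs. what a visitor sees.
CRAWLER_COPY = ('<html><head><title>激安ブランド 通販</title>'
                '<meta name="description" content="人気商品 半額"></head></html>')
VISITOR_COPY = ('<html><head><title>Page not found</title>'
                '<meta name="description" content="My blog"></head></html>')

if __name__ == "__main__":
    print(cloaking_report(CRAWLER_COPY, VISITOR_COPY))
```

An empty result means the two copies agree on these fields; any entry is a field that was cloaked for the crawler.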

If you ever find yourself in this position, then you must clean your site as soon as possible, because Google will blacklist your website and your site visitors won’t be able to find it in Google’s search engine results nor visit it through their Chrome browsers. The longer you leave the hack on your website, the bigger the damage.

How to clean the WordPress Japanese keyword hack

If your hosting provider can’t help you remove the Japanese spam malware, then you need to take action and remove the hack by cleaning your WordPress website yourself. Below is a simple guide which can help you spot and remove such malware. Keep in mind, though, that if you’re not experienced enough in malware cleanups you may not be able to fully clean your WordPress site.

Step 1: Create a backup of your site and archive it by compressing it

Use your hosting panel to create a backup of your live site. Make sure the backup file is compressed (for example, a zip file) so malware can’t start infecting the site again once it’s clean.

Step 2: Check your Google Search Console

Log into your Google Search Console and navigate to the sitemaps page, then delete any sitemap which wasn’t submitted by you. You also need to take a look at the users who have access to this site property and remove any Owners or Users not created by you.

Step 3: Clean your .htaccess file

Use your hosting panel’s File Manager or an FTP client like FileZilla and browse to your WordPress site root directory. In there you should see a file named .htaccess. Open it and see if there are any weird rules present. If you’re not experienced in working with .htaccess, then delete it and create a new one using the same name. Then add the default WordPress htaccess rules and save it.
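To make "weird rules" concrete, here is an added example (not part of the original tutorial) that lists every directive in an .htaccess file that is not part of the rewrite block WordPress writes for a single-site install in the web root. The function names and the infected sample are constructed for illustration; rules added by your own plugins or host will also be listed and need a manual look.

```python
# Rewrite block WordPress itself writes for a single-site install in the web root.
DEFAULT_RULES = r"""# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""

def normalise(line):
    """Collapse whitespace so indentation differences do not cause false hits."""
    return " ".join(line.split())

def unexpected_lines(htaccess_text):
    """Return (line_number, directive) for every directive outside the default block."""
    known = {normalise(line) for line in DEFAULT_RULES.splitlines()}
    findings = []
    for number, line in enumerate(htaccess_text.splitlines(), start=1):
        text = normalise(line)
        # Blank lines and comments cannot change server behaviour; skip them.
        if text and text not in known and not text.startswith("#"):
            findings.append((number, text))
    return findings

# Constructed sample: the default block followed by one rule nobody on the team added.
SAMPLE = DEFAULT_RULES + (
    "RewriteEngine On\n"
    "RewriteRule ^item/(.*)$ /wp-content/uploads/cache.php?id=$1 [L]\n"
)

if __name__ == "__main__":
    for number, text in unexpected_lines(SAMPLE):
        print(f"line {number}: {text}")
```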

Step 4: Copy your WordPress configuration database connection strings

Another important file that hackers like to target and inject malware into is your WordPress configuration file: wp-config.php. Experienced WordPress users can browse its contents and delete any lines that don’t seem to belong to the default wp-config.php contents. If you don’t want to mess with editing this important WordPress file, then I suggest copying your WordPress database connection strings and pasting them inside wp-config-sample.php, replacing the default ones. Then delete the wp-config.php file and rename wp-config-sample.php to wp-config.php.

Step 5: Replace your WordPress core files

The best and safest way to clean a hack or malware infection is to delete all of your site files and re-upload them freshly downloaded from WordPress.org. After writing down the WordPress version your site is using, delete all WordPress root core files and WordPress core directories. Then download the WordPress version your site was using from WordPress.org and upload all the files and directories you deleted.

Step 6: Replace all of your WordPress themes and plugins

In this step, you will repeat the replacement process for all your WordPress themes and plugins. You first need to write down all their names and versions, then download them from WordPress.org or whichever other site you first found them on. Finally, delete all current theme and plugin directories and upload the ones you just downloaded. You should also replace your wp-content/index.php file with the default one.

Step 7: Check your uploads dir

Browse your wp-content/uploads directory for any .php, .js and .ico files. Whenever you find one, check if it has a weird file name and if its creation date is recent. Also check its content for weird characters and strings like “base64_decode”, “rot13”, “eval”, “strrev” and “gzinflate”. If you find any such file, delete it. Keep in mind that your media file directories under wp-content/uploads shouldn’t contain any .php, .js or .ico files, so if you find any, delete them right away.
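Browsing a large uploads tree by hand is slow, so here is an added example (not from the original tutorial) that walks the directory, lists every .php, .js and .ico file with its last-modified date, and records which of the strings named above each file contains. The function names and the sample directory tree are constructed for illustration.

```python
import re
import tempfile
from datetime import date
from pathlib import Path

RISKY_EXTENSIONS = {".php", ".js", ".ico"}
# The strings this step tells you to look for (PHP function names ignore case).
SUSPICIOUS = re.compile(rb"base64_decode|rot13|eval|strrev|gzinflate", re.IGNORECASE)

def scan_uploads(uploads_dir):
    """Return {relative_path: {"strings": [...], "modified": "YYYY-MM-DD"}}."""
    root = Path(uploads_dir)
    findings = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in RISKY_EXTENSIONS:
            continue
        data = path.read_bytes()
        hits = sorted({m.decode().lower() for m in SUSPICIOUS.findall(data)})
        modified = date.fromtimestamp(path.stat().st_mtime).isoformat()
        findings[path.relative_to(root).as_posix()] = {"strings": hits, "modified": modified}
    return findings

def write_constructed_sample(root):
    """Create a small uploads tree (constructed for this example)."""
    root = Path(root)
    (root / "2019/03").mkdir(parents=True)
    (root / "2019/03/photo.jpg").write_bytes(b"\xff\xd8\xff constructed image")
    (root / "2019/03/favicon_a1.ico").write_bytes(b"<?php eval(gzinflate(base64_decode($_x)));")
    (root / "2019/widget.js").write_bytes(b"console.log('constructed');")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        write_constructed_sample(tmp)
        for name, info in scan_uploads(tmp).items():
            print(name, info["modified"], info["strings"] or "no listed strings")
```

Every file the scan returns is already out of place in a media directory; the string list only helps you decide which ones to look at first.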

Step 8: Ask Google to re-examine your site

Once finished, I suggest you monitor any file changes made on your site for the next day, then audit them, and if they seem legit, ask Google from your Search Console to reconsider your site. After a few days, they will send you a reply and hopefully whitelist your site again.

Notice:

This tutorial should be followed carefully or else your site may have loading issues. Be aware, however, that cleaning malware through a tutorial may not lead to success all of the time, since there are many other things to consider when cleaning a WordPress site which can’t be covered in a tutorial. If you don’t feel comfortable in your ability to clean your WordPress site, then feel free to request a quote from us for the removal of the Japanese keyword hack from your WordPress site.